pf: enable the syncookie feature for IPv6
When syncookie support was added to pf the relevant work was only done in pf_test(), not pf_test6(). Do this now. MFC after: 1 week Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D41502
This commit is contained in:
parent
9642d948c0
commit
92d4152295
@ -8108,6 +8108,15 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
|
|||||||
pd.p_len = pd.tot_len - off - (pd.hdr.tcp.th_off << 2);
|
pd.p_len = pd.tot_len - off - (pd.hdr.tcp.th_off << 2);
|
||||||
pd.sport = &pd.hdr.tcp.th_sport;
|
pd.sport = &pd.hdr.tcp.th_sport;
|
||||||
pd.dport = &pd.hdr.tcp.th_dport;
|
pd.dport = &pd.hdr.tcp.th_dport;
|
||||||
|
|
||||||
|
/* Respond to SYN with a syncookie. */
|
||||||
|
if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
|
||||||
|
pd.dir == PF_IN && pf_synflood_check(&pd)) {
|
||||||
|
pf_syncookie_send(m, off, &pd);
|
||||||
|
action = PF_DROP;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
|
action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
|
||||||
if (action == PF_DROP)
|
if (action == PF_DROP)
|
||||||
goto done;
|
goto done;
|
||||||
@ -8117,9 +8126,45 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
|
|||||||
V_pfsync_update_state_ptr(s);
|
V_pfsync_update_state_ptr(s);
|
||||||
r = s->rule.ptr;
|
r = s->rule.ptr;
|
||||||
a = s->anchor.ptr;
|
a = s->anchor.ptr;
|
||||||
} else if (s == NULL)
|
} else if (s == NULL) {
|
||||||
action = pf_test_rule(&r, &s, kif, m, off, &pd,
|
/* Validate remote SYN|ACK, re-create original SYN if
|
||||||
&a, &ruleset, inp);
|
* valid. */
|
||||||
|
if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) ==
|
||||||
|
TH_ACK && pf_syncookie_validate(&pd) &&
|
||||||
|
pd.dir == PF_IN) {
|
||||||
|
struct mbuf *msyn;
|
||||||
|
|
||||||
|
msyn = pf_syncookie_recreate_syn(h->ip6_hlim,
|
||||||
|
off, &pd);
|
||||||
|
if (msyn == NULL) {
|
||||||
|
action = PF_DROP;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
action = pf_test6(dir, pflags, ifp, &msyn, inp,
|
||||||
|
&pd.act);
|
||||||
|
m_freem(msyn);
|
||||||
|
if (action != PF_PASS)
|
||||||
|
break;
|
||||||
|
|
||||||
|
action = pf_test_state_tcp(&s, kif, m, off, h,
|
||||||
|
&pd, &reason);
|
||||||
|
if (action != PF_PASS || s == NULL) {
|
||||||
|
action = PF_DROP;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1;
|
||||||
|
s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1;
|
||||||
|
pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_DST);
|
||||||
|
|
||||||
|
action = pf_synproxy(&pd, &s, &reason);
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
action = pf_test_rule(&r, &s, kif, m, off, &pd,
|
||||||
|
&a, &ruleset, inp);
|
||||||
|
}
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user